About the security content of QuickTime 7.6.2

This document describes the security content of QuickTime 7.6.2.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

QuickTime 7.6.2

Impact: Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in QuickTime's handling of Sorenson 3 video files. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of Sorenson 3 video files. Credit to Carsten Eiram of Secunia Research for reporting this issue.

Impact: Opening a maliciously crafted FLC compression file may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow exists in the handling of FLC compression files. Opening a maliciously crafted FLC compression file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.

Impact: Viewing a maliciously crafted PSD image may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow may occur while processing a compressed PSD image. Opening a maliciously crafted compressed PSD file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Damian Put working with TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime

CVE-ID: CVE-2009-0010

Available for: Windows Vista and XP SP3

Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution

Description: An integer underflow in QuickTime's handling of PICT images may result in a heap buffer overflow. Opening a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT images. Credit to Sebastian Apelt working with TippingPoint's Zero Day Initiative, and Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.

Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT images. Credit to Sebastian Apelt working with TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime

CVE-ID: CVE-2009-0954

Available for: Windows Vista and XP SP3

Impact: Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow exists in QuickTime's handling of Clipping Region (CRGN) atom types in a movie file. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect Mac OS X systems. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow exists in the handling of MS ADPCM encoded audio data. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Alin Rad Pop of Secunia Research for reporting this issue.

Impact: Opening a maliciously crafted video file may lead to an unexpected application termination or arbitrary code execution

Description: A sign extension issue exists in QuickTime's handling of image description atoms. Opening a maliciously crafted Apple video file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved validation of description atoms. Credit to Roee Hay of IBM Rational Application Security Research Group for reporting this issue.

Impact: Viewing a movie file with a maliciously crafted user data atom may lead to an unexpected application termination or arbitrary code execution

Description: An uninitialized memory access issue exists in QuickTime's handling of movie files. Viewing a movie file with a zero user data atom size may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of movie files, and presenting a warning dialog to the user. Credit to Lurene Grenier of Sourcefire, Inc. (VRT) for reporting this issue.

Impact: Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow exists in QuickTime's handling of JP2 images. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Charlie Miller of Independent Security Evaluators, and Damian Put working with TippingPoint's Zero Day Initiative for reporting this issue.

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.